[PATCH] Add command 'check' to check passwords against HIBP

Tristan Miller psychonaut at nothingisreal.com
Fri Jan 18 10:14:00 CET 2019


On Thu, 17 Jan 2019 14:48:04 -0800, Pass Word
<passwordstore at 89vx.net> wrote:
> Someone asked on IRC today for an option to check passwords against
> the Have I Been Pwned website to see if they are already
> compromised.  It is probably extremely rare for a password generated
> with pass to already be on there but whatever, it is still somewhat
> useful to check other passwords you might have stored in pass.

I wouldn't say that finding a pass-generated password listed on Have I
Been Pwned is "extremely rare" -- the breaches recorded there
come from websites that stored passwords insecurely (such as in
plaintext). So no matter how secure a password you chose for such a
website, it will still be catalogued on HIBP.

I do generate all my passwords randomly, and use a unique password on
each site.  Still, it's important for me to know if any of these are
compromised so that I can change the password on the affected site.
Thanks to the other posters in this thread for sharing the tools they
use to mass-check the password store against HIBP in a secure way.


                  Tristan Miller
Free Software developer, ferret herder, logologist
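
Added example, not part of the original message or of the pass patch under discussion: one way a mass-check can keep passwords and full hashes on the local machine is the Pwned Passwords range lookup, where only the first five hex characters of each SHA-1 are sent and the remaining suffix is matched locally. The store entries, breach counts and `fake_fetch_range` (an offline stand-in for the HTTP request) are constructed for illustration; note that the randomly generated entry is still reported, because the constructed breach leaked it verbatim.

```python
import hashlib
from collections import defaultdict

def split_hash(password):
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines; a count of 0 marks a padding row and is skipped."""
    counts = {}
    for line in body.splitlines():
        suffix, _, count = line.strip().partition(":")
        if suffix and count.isdigit() and int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts

def check_store(entries, fetch_range):
    """Map entry name -> breach count; only hash prefixes are passed to fetch_range."""
    by_prefix = defaultdict(list)
    for name, password in entries.items():
        prefix, suffix = split_hash(password)
        by_prefix[prefix].append((name, suffix))
    hits = {}
    for prefix, items in by_prefix.items():  # one lookup per distinct prefix
        counts = parse_range(fetch_range(prefix))
        for name, suffix in items:
            if suffix in counts:
                hits[name] = counts[suffix]
    return hits

# Constructed data: a fake breach corpus and a fake password store.
BREACHED = {"hunter2": 17043, "x9$Lq!v2Rt#8mZpA": 1}
STORE = {"forum/old": "hunter2", "shop/acme": "x9$Lq!v2Rt#8mZpA",
         "bank/main": "T7&kW0cE@4nHs^1d"}
REQUESTS = []  # records everything that would have left the machine

def fake_fetch_range(prefix):
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>."""
    REQUESTS.append(prefix)
    rows = ["0" * 35 + ":0"]  # padding row, as sent when Add-Padding is requested
    for password, count in BREACHED.items():
        p, suffix = split_hash(password)
        if p == prefix:
            rows.append(f"{suffix}:{count}")
    return "\r\n".join(rows)

if __name__ == "__main__":
    print(check_store(STORE, fake_fetch_range))
    print(REQUESTS)
```
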

More information about the Password-Store mailing list